Personal data means information relating to an identified or identifiable natural person (e.g., data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Processing of personal data is regulated by law. For example, a panoply of federal privacy-related laws including, among others, The Federal Trade Commission Act (15 U.S.C. §§ 41-58) (FTC Act), The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§ 6801-6827), The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. § 1301 et seq.), The Electronic Communications Privacy Act (18 U.S.C. § 2510), and the Computer Fraud and Abuse Act (18 U.S.C. § 1030) regulates collection and use of personal data in United States of America (USA). A data protection directive (official Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) regulates the processing of personal data within European Union (EU). Directive 95/46/EC is due to be replaced by General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) on May 25, 2018.
In accordance with law regulations, personal data of a data subject (e.g., a customer) may be collected by a data controller (e.g., a company) based on criteria of lawful processing of personal data. For example, lawful processing of personal data may be performed in relation to performance of a contract, a legal obligation, etc. A natural or legal person, public authority, agency or any other entity which alone or jointly with others determines purposes and means of the processing of the personal data can be referred to as data controller. Alternatively, personal data may be collected based on consent. The consent is an informed consent for the data controller provided by the data subject to processing of personal data in written or electronic form. Companies often run analytical processes on personal data that they possess to gain information and to improve decision making regarding strategic, tactical, and operational activities. Normally, the personal data is blocked for access or deleted after primary purpose and legal retention time is over.